2026-05-07 17:49:25 +01:00
1 changed files with 6 additions and 1 deletions
@@ -52,7 +52,12 @@ ProtectSystem=full
 # whenever a new SecretsKey is minted, so we need a targeted
 # write-exemption for that dir. No exemption for the rest of /etc:
 # the agent has no business editing /etc/passwd, /etc/sudoers, etc.
-ReadWritePaths=/etc/restic-manager
+#
+# /usr/local/bin is writable so the self-update flow (P6-01) can
+# atomic-rename a fresh binary over the running one. Permitting the
+# whole directory (rather than just the binary path) is required
+# because os.Rename takes a write lock on the parent dir.
+ReadWritePaths=/etc/restic-manager /usr/local/bin
 ProtectHostname=true
 ProtectKernelTunables=true
 ProtectKernelModules=true